54 comments

[ 4.8 ms ] story [ 121 ms ] thread
Read about this the other day but I have yet to be able to reproduce port scanning.
me neither on a Mac, and the article mentions that it doesn't happen on Linux. It might be restricted (or allowed) in Windows only
Me and a coworker found that uBO blocks it. Also from my tests without uBO enabled it didn't scan every time (seemed to only scan when logged out, but that could have been a coincidence)
Note that a browser firewall like uBlock Origin with EasyPrivacy (easylist.to) already blocks this: https://imgur.com/s7efEez.png
This image doesn't show any local ports trying to be accessed. I'm guessing this endpoint is what gets called after the scan is completed, but context is missing to be certain.
Ah, sorry. I searched HN stories for "eBay" and didn't find anything. Not sure why that story's author chose "This Website" for the title.
Your article links to that exact story though.
Yes, and the vague article title was a big reason I submitted this one instead. :-)

I thought about submitting the other article with my own title, but I didn't want to "editorialize".

Fair enough, they’re doing it to protect their business.

But why should a user have to subject their machine internals to inspection by eBay? And, without their consent.

Visiting a website implies consent.
Not in the GDPR.
GDPR allows "necessary" data processing for "legitimate interests". IANAL but I believe a non-damaging portscan to check for security issues to be allowed. Especially as eBay has the legitimate interest to ward off fraud - and customers have the legitimate interest to have their accounts protected.
Then they need to disclose that behavior. Because my firewall marks portscans as a malicious activity.
Since the portscan happens clientside on 127.0.0.1 I doubt your firewall will be able to notice the portscan.
That depends if you use IPv4 with NAT like almost everyone on a residential Internet uplink or IPv6 with a public routed address...
127.0.0.1 (aka localhost) isn't affected by your NAT setup. Your browser initiates this scan on the local loopback device, so the traffic will never even leave your computer (even on linux, it's somewhat difficult to get it to route 127.0.0.1 to another computer and it'll break a lot of applications in the process or make them insecure).

IPv6 with a public routed address still means there is a firewall, just like with NATv4. NATv4 just also has a NAT router with that firewall.

> non-damaging protscan

Tell that to every corporation on Earth, especially to Banks, that "port scanning your perimeter is an innocent thing". Tell that your employer as well and do tell us what's your job status afterwards.

(I am not downvoting the utterly silly grey comments - I want them to be visible to a) ;)

Consent is a voluntary agreement to something. Port scanning is definitely not something I would expect when browsing the web (And based on the amount of upvotes on the last thread, not something most of HN would expect), so how can I be consenting to it without knowing about it?
> Port scanning is definitely not something I would expect when browsing the web (And based on the amount of upvotes on the last thread, not something most of HN would expect)

Then you're a fool, frankly. Plenty of online services, web or otherwise, use port scans as a means to detect such things as open proxies or open MTAs.

What percentage of ebay visitors even know what portscanning is? How can somebody consent to something they aren't aware of, don't anticipate, and certainly don't even understand? Your notion of "consent" is an utter joke.
They might not know what port scanning is, but can they agree to "anti-fraud measures?"
Maybe they might agree to such anti-fraud measures, but I don't think they have. I don't consider 'ignoring the terms of use buried at the bottom of the page or in small print' a legitimate form of indicated consent.
Agree with you that simply putting something in the terms of use doesn't necessarily indicate agreement. If they're only doing it to signed in users, then presumably they had the terms put in front of them at some point, but I think your objection is still fair in any case.

To what extent do they need consent to port scan, though? They're not intending to do anything malicious, and in fact (assuming you are the owner of the account that's signed in) they're doing it partly to benefit you. Is there a law against port scanning? Does it affect users in any way?

What percentage of eBay users know what an IP address is?
(comment deleted)
Open ports which are accessible to the Internet at large are not "machine internals". If you do not want someone to access your systems, then you should configure your systems to not allow that access.
"It's not my fault I can break into your house and steal everything"
They are scanning 127.0.0.1 locally from the browser, so the ports do not need to be internet-accessible.
They are open ports which are accessible to the Internet at large. Or at least, any site you go to. If you don't like that there are various means to close off those ports to your browsers (Windows firewall, network namespaces, etc).
It is illegal for me to perform a portscan. Why it is legal for eBay, who knows?
This is suppose to help with fraud? Lets be serious for a moment. The only thing that this is going to change is that the supposedly hacked computers will no longer run VNC on standard ports.

I think what we might be seeing here is the outcome of some overpaid consultant's claim that they can protect ebay from fraud with 'sophisticated' malware detection.

Has anyone investigated how this protection works? That is, deliberately create an eBay account, log into eBay using a remote tool, and trigger the fraud detection? My curiosity is piqued, but I don't have an account to offer up.

I'm wondering if eBay displays a fraud warning, or pretends to allow the transaction to occur (shadow bidding?), or just hellbans the account being used.

For shill-bidding farms, the obvious counter is to move remote screen access to non-standard ports, or move to headless browser operation via other scripting methods.

It probably does nothing directly.

It will just feed the data-point into an anti-fraud/anti-spam system along with everything else.

And the anti-fraud/anti-spam system is probably a machine learning black box. It will learn if this data-point is actually correlated with naughty behaviour, and what other factors are usually correlated.

It might be some kind of system that tries to determine if the client is a ‘normal’ browser.
It helps but there are projects like censys.io and shadowserver ebay can use instead of a direct scan.

Bad guys do use compromised seevers and devices,often it's bind() shell (like a webshell) that can easily be detected. I think it helps when they use compromised hosts as proxies to avoid IP restrictions.

Let's be serious for a moment. A computer that is hacked and running remote access programs poses a MUCH higher risk of account hi-jacking for ebay and paypal purposes than another computer.

Feed that into a system that monitors lots of other inputs, and you start to build improved fraud detection systems. Most of these systems benefit significantly from long tail / long history monitoring - all the other providers of systems in this space try to get beacons onto virtually all the pages you visit, monitor all mouse and other movements you carry out etc.

Why not this pretty simple and straightforward explanation vs something complicated about overpaid consultants? Amazon does $80B of sales or something per year. Each 1% of fraud on this platform is worth $800 million. How overpaid must a consultant be who can knock this down?

I'm curious how someone with crypt in their name would ignore obvious remote access trojan installs as a threat vector?

I'm not ignoring anything. I'm simply stating that this is not an effective prevention method. I'm even going to argue that this can potentially _hurt_ whatever fraud system they have in place, as it could create a lot of false-negatives. Once the fraudsters pick up on this they'll change the ports. From then on, this script is useless.

At best, the result of the data points created by this script is going to create a temporary drop in fraud, which can be used by the aforementioned 'consultant' to claim (premature) victory. Give it a month or two, and the fraud numbers are going to go back to their previous levels.

Do you deal with fraud issues. My guess is not. "The fraudsters may adapt" is a complaint with almost all fraud fighting approaches - and yet many even older methods STILL have value even if fraudsters could work around them. Many fraudsters are using scripts and tools they don't even know how to modify but that circulate and are used. In person use has geo checks, so easy to avoid by using cards in a local area - but fraud prevention STILL picks up out of billing zip attempts at use.

So you'll be wrong here. And even a 6 month decline in fraud is highly valuable to any of these large scale players.

You're assuming that the 'bad guys' pay attention and look closely enough to even see that this detection exists and figure out how to bypass it.
The ones who made the software probably are.

The rest just need to notice they're no longer making money and being 1337, will get updated h4xx0r t00lz once the first group releases them.

Is it possible to configure uMatrix so it either blocks WebRTC completely or asks when a page tries to use it?
eBay's technique does not use WebRTC at all.
This site is a standard reblogger. They just regurgitate stuff that they find on other sites or even reddit and Facebook. They don’t add anything new to the story. If anything they take away some context from when it was originally reported. I some how despise it a lot, the y provide no value but consistently take away advertisement dollars and clicks from the original author.
Bleeping isn't churnalism. Daft name, so for the longest time I assumed it was garbage, but Lawrence and crew actually do good work.
Copying the JavaScript to “beautifier(.)io” will show that this script does more than just poet scan. It also uses some low-level fingerprinting techniques using flash and various fonts to determine browser type. It also produces a public and private key.
So you are saying this violates GDPR if it is done without user consent?
I used to be able to turn off Websockets in Firefox (still can with Icecat), why was this feature removed?
> This makes sense as the programs being scanned for are all Windows remote access tools.

Wait. VNC is a Windows remote access tool? LOL.